Comments on: RFID and Privacy

By: Byron

Byron — Tue, 12 May 2009 01:07:36 +0000

Advertisement Deleted Byron, any further attempts to post advertising in our comment section, even if topical, will be deleted. - Quincy

By: Blue Sky Sunshine » Biometric Driver License: national ID? …yes.

Blue Sky Sunshine » Biometric Driver License: national ID? …yes. — Sat, 09 May 2009 19:20:22 +0000

[...] April 22, 2009 http://www.thelibertypapers.org/2009/04/22/rfid-and-privacy/ [...]

By: Quincy

Quincy — Thu, 23 Apr 2009 01:15:34 +0000

trumpetbob -

All that says to me is that the Sec. of State either hasn’t considered the privacy implications, as even a rudimentary analysis shows the statement to be false, simply doesn’t care, or along the lines of Jeff’s links, thinks the possibility of surreptitious tracking is a feature not a bug.

By: trumpetbob15

trumpetbob15 — Wed, 22 Apr 2009 23:32:03 +0000

A couple weeks ago, I saw an article from the Sec. of State’s office in Michigan about this. The spokesperson mentioned that no one should be worried because the number on the RFID chip would be random and who would be worried about a random number? The first thought I had, of course, was, “Umm..isn’t a Social Security number randomly generated?” Nice to see this issue getting more attention because though I saw the first article, this hasn’t been included in the media clips I receive. Wonder why…

By: Quincy

Quincy — Wed, 22 Apr 2009 21:14:16 +0000

Encryption could matter –

You’re basically restating what I said here:

The only measure of safety encrypting the number provides is that the RFID tag could not be used to query the DHS database. Of course, since one’s name would be revealed in one of many transactions, even this layer of protection is transitory since the DHS database would contain both name and ID number.

The problem with folks piggybacking is they don’t need access to the DHS database to begin aggregating data based on the RFID signature.

There’s a common misconception that people have a single, invariable identity that can be violated. In truth, people have many identities. The average person has a government identity (SSNs, drivers’ licenses, passports, etc.), a financial identity (credit scores and history, financial records, etc.), a medical identity, a social identity, and a marketing identity (information held by advertisers about one’s preferences and habits).

These identities can exist separately, but they can be correlated when each has enough personally identifiable information. Third party trackers can build the identity of the encrypted signature and then backfill that to find out personally identifiable information leaked through everyday transactions.

With enough personally identifiable information, even the DHS database is an open book. If I have someone’s name, address, date of birth, and social security number, I will be able to find them in the DHS database, even if I don’t know their unencrypted RFID number.

Encryption of the static RFID number simply falls below any reasonable threshold of privacy. Temporal encryption with a one-time code increases the attack surface of the system dramatically, closing one hole by opening another. Encryption is simply not the answer to this problem.

The button idea is interesting, though. In theory, it could prevent the surreptitious reads necessary to do third-party tracking of the sort feared. I’ll have to look into it.

By: Encryption could matter

Encryption could matter — Wed, 22 Apr 2009 20:45:56 +0000

Good point on how a third party could still use an unencrypted number for piggybacking. However, without being able to unlock the encryption, the third party could not use that number to access the database where the information is stored. The rotating encryption would also work. So encryption would be better, but not a total solution. In Ontario they are looking at the RFID having a physical on button, again better, but not perfect. Why have it at all?

By: southernjames

southernjames — Wed, 22 Apr 2009 20:10:52 +0000

Ah, show a little trust; show a little faith. Our benevolent and well meaning comrades in Washington simply wish to be able to monitor our movements and our actions for our own good. This is all for our benefit. It is all for the greater good, the common good, of the People. Things like this will ultimately lead to Universal Happiness and Contentment for the People. Why would anybody who is NOT a DHS defined “right wing extremist” and therefore a potential threat to the peace, contentment, and harmony of all well meaning citizens everywhere, be bothered by this sort of thing?

Perhaps you should be taken, very gently, into custody. And treated. This will be for your own good, and it will help you to feel all bettter. And then become better. You do want to be healed, don’t you?

By: Jeff Molby

Jeff Molby — Wed, 22 Apr 2009 18:42:32 +0000

In the extreme, it would be possible for the government itself to leverage the work of the clearinghouse by purchasing the data and crossing it with the DHS database. While unlikely, this scenario is technically possible.

They’re already doing it. It’s foolish to think that they’d stop if the data got better.

http://www.dhs.gov/xnews/testimony/testimony_1215792529376.shtm

By: Conspirama

Conspirama — Wed, 22 Apr 2009 18:20:55 +0000

The Liberty Papers »Blog Archive » RFID and Privacy…

Instead, they’re offering to “enhance” our license by having a security interview, paying more, and then getting a wireless RFID chip in your license. While the first two requirements seem reasonable, if the part about the wireless RFID ……

By: tfr

tfr — Wed, 22 Apr 2009 18:09:50 +0000

Just wrap it in aluminum foil. Then they’re back to asking to see your papers.